Does your college or university comply with the payment card industry's (PCI) data security standards (DSS)? To avoid fines and possible service interruptions, our PCI DSS specialists can assess your situation, recommend needed remediation, and help with compliance.

Data Security (PCI DSS)

Can you imagine if your registrar's office could not accept credit and debit card payments for tuition and fees? That could happen if you do not meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS compliance is required for all organizations that store, process, or transmit cardholder data, including higher education institutions, hospitals, and retailers. The number of cardholder transactions performed annually determines the process necessary to obtain PCI DSS compliance.

For higher education institutions that transmit fewer than six million transactions annually, the process starts with the proper selection and completion of a self-assessment questionnaire (SAQ). As stated in the SAQ, annual internal vulnerability scanning, quarterly external vulnerability scanning (performed by a PCI-approved scanning vendor), and penetration testing are PCI DSS requirements for compliance. See full details below:

Compliance Requirements*

| Number of transactions per annum | Self-assessment questionnaire (SAQ) | Network security scan by an ASV | On-site audit by a QSA |
|----------------------------------|-------------------------------------|---------------------------------|------------------------|
| More than 6 million              | N/A                                 | Required quarterly              | Required annually      |
| 1 to 6 million                   | Required annually                   | Required quarterly              | N/A                    |
| 20,000 to 1 million              | Required annually                   | Required quarterly              | N/A                    |
| All others                       | Required annually                   | Required quarterly              | N/A                    |

*This is Visa, Inc.'s standard

Penalties for PCI DSS non-compliance can be steep

If universities and colleges do not meet PCI DSS requirements, major payment card companies, like American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., can deny them access to their credit services.

How do you protect your organization?

Plante Moran is a PCI Qualified Security Assessor (QSA) and a PCI DSS Approved Scanning Vendor (ASV). Our experienced team of technology experts who specialize in higher education can guide you through the PCI DSS requirements. Our technology specialists can help you determine your path to PCI DSS compliance by assessing your current situation. Do you need an on-site assessment, or can you complete a self-assessment questionnaire (SAQ)? If you have to complete an SAQ, our consultants can help determine which version applies to you, as there are multiple versions of the PCI DSS SAQ.

Once it is decided which version you should use, our technology professionals can also assist you with:

Should any deficiencies be detected in the scans, you can depend on our specialists to recommend cost-effective ways to remedy them, thereby mitigating your risk. If needed, a follow-up scan will be performed to satisfy the PCI DSS requirements.

PCI DSS vulnerabilities detected; remediation recommended

Once all facets of the assessment are complete, we will provide you with a management-level report that summarizes the total vulnerabilities found, the level of risk for each vulnerability, and your overall PCI DSS compliance status. An in-depth report on the vulnerabilities detected, along with recommendations for remediating each finding, will go to your IT staff.

"We've worked with Plante Moran on a wide variety of consulting projects, including a new ERP system, storage area network, video on demand, and process redesign. Their technology team guided us through these projects, providing technical and business expertise. Their knowledge and professionalism gave us the comfort level we needed to make decisions and move forward. We plan on working with them for many more years and will continue to depend on them as we work with other two-year schools in Ohio to create a shared services environment."